1

I have written API using Django REST Frameword and Django oAuth Toolkit for oauth2 authentication and using Postman to test my API authorization process.

I have to send following curl request

curl -X POST -d "grant_type=password&username=<user>&password=<password>" -u "<client_id>:<client_secret" http://127.0.0.1:3333/auth/token/

I can generate access_token simply using Postman Get Access Token window

enter image description here

But I want to do it by sending a request and passing data using request form, so that I could test the API and also generate the documentation for auth.

Now, I can pass user data (username, password) in form-data but how to pass client_id and client_secret?

enter image description here

Anuj TBE
  • 9,198
  • 27
  • 136
  • 285
  • There are three options to send data to through POST Request, 1. Post Form Body, 2. Headers n 3. Url Params. Can you write how your API is consuming client_id and client_secret? Then, we can add these key-values pairs accordingly – nandal May 17 '18 at 19:39
  • you can see in curl request `-u` flag is used. and the way client id and secret is being sent is `client_id:client_secret`. there is no name parameter used in it. So, I think it is being sent in header. But I can not find any field to put `client_id` and `secret` in `Authorization` tab and `Headers` tab asks for key-value pair. – Anuj TBE May 17 '18 at 19:44

2 Answers2

2

For a full Postman answer, the way to accomplish this is with a pre-request script. The client id and the client secret are simply encoded with the base64 encoding scheme. Just do this:

enter image description here

Notice that client_id_client_secret is an environment variable. If you don't want to do that, then drop the first line and hard-code your client id and secret into CryptoJS.enc.Utf8.parse('my-trusted-client:mysecret'), where 'my-trusted-client' is the client id and 'mysecret' is the client secret.

Here's the code for copy/paste joy.

let keys = pm.environment.get('client_id_client_secret');
let encoded = CryptoJS.enc.Base64.stringify(CryptoJS.enc.Utf8.parse(keys));
pm.environment.set("base64_client_id_client_secret", encoded);

Now, create a header and include the variable you created:

enter image description here

The value part of that image:

Basic {{base64_client_id_client_secret}}

Now... just Postman bliss.

Software Prophets
  • 2,838
  • 3
  • 21
  • 21
1

curl encrypts the value of -u parameter, which we can see using -v (verbose)option.

Therefore, to collect the header's authorization value, use -v once with the curl command. It will print the raw request as following:-

$ curl -X POST -d "grant_type=password&username=<user>&password=<password>" -u "client_id:client_secret" http://127.0.0.1:3000 -v
Note: Unnecessary use of -X or --request, POST is already inferred.
* Rebuilt URL to: http://127.0.0.1:3000/
*   Trying 127.0.0.1...
* TCP_NODELAY set 
* Connected to 127.0.0.1 (127.0.0.1) port 3000 (#0)
* Server auth using Basic with user 'client_id'
> POST / HTTP/1.1
> Host: 127.0.0.1:3000
> Authorization: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Length: 55
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 55 out of 55 bytes
< HTTP/1.1 200 OK
< Content-Type: text/plain
< Date: Sat, 19 May 2018 07:09:35 GMT
< Connection: keep-alive
< Transfer-Encoding: chunked
<

In the above verbose log, we can see the Key Value pairs as 

> Authorization: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=

After collecting these key as "Authorization" and value as "Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=", you can use them in headers of the request through postman. "Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=" is the encrypted value generated using the -u "client_id:client_secret" option with curl.

Hope this will solve the auth problem using postman request.

nandal
  • 2,544
  • 1
  • 18
  • 23